Security considerations in PolicyKit-enabled daemons
David Zeuthen
david at fubar.dk
Tue Jul 14 08:47:41 PDT 2009
On Tue, 2009-07-14 at 14:40 +0100, Richard Hughes wrote:
> I've spent a few minutes writing up some documentation about security
> and PackageKit. These notes probably apply to most of the PolicyKit
> enabled daemons, and they might be useful to somebody. I'm also not
> sure whether my concern over a custom "always authenticate" session
> helper is valid, as I admit i don't fully understand the setuid aspect
> of the session helpers. I would appreciate review from any of you on
> this list.
>
> Please bear in mind it's work in progress:
> http://cgit.freedesktop.org/packagekit/plain/docs/security.txt
This sounds like a good idea; some comments
- nitpick: It's D-Bus, not D-BUS or DBus
- nitpick: it's polkitd-1, not polkit-daemon-1. But generally you
should refer to either org.freedesktop.DBus.PolicyKit1 or (better)
"PolicyKit Authority" when talking about polkit interactions. E.g.
the name of the binary or the D-Bus service name are mostly just
implementation details...
- It might be good to put this kind of information in a man page; I've
done something similar for polkit itself here
http://hal.freedesktop.org/docs/polkit/
http://hal.freedesktop.org/docs/polkit/PolicyKit-1.8.html
which is still work-in-progress. There probably should be some more
discussion about how to choose the defaults for implicit
authorizations e.g. when to choose "auth_admin" and when to choose
"auth_self_keep" etc.
- How about replacing
"the daemon asks polkit-daemon-1 for authentication, which then
blocks until the authentication is completed. This is handled
asynchronously, and the daemon can process other requests whilst
waiting for user input."
with
"The daemon checks with the PolicyKit Authority for whether the
client is authorized for the action the client wants to perform.
This may involve having the user authenticate that he is either
the user (by authenticating with his password) or that he is
an administrative user (by authenticating with the root
password or the password of a user designated as an
administrative user). The authorization check can take a while
and the daemon can process other requests whilst waiting for
user input."
It's much longer and a bit terse but it's also a lot more accurate.
Would probably be good to include a link to the PolicyKit-1 man page
that explains (is supposed to, anyway) the system architecture being
used (see below).
- It might be worth going over each registered PolicyKit action and
explaining why the default implicit authorizations (e.g.
auth_admin_keep) are secure choices. I think this is really
important.
- I'm having a hard time parsing this
* A session service can be written to automatically authenticate
methods, and replace the native client. This is hard to mitigate,
as as soon as you have untrusted code running in the session, it's
very easy to load exploit code using GTK_MODULES into previously
trusted applications, such as gpk-application.
but I don't think it's accurate. Even if you have hostile/malicious
client code it can't get past PolicyKit if you use auth_admin...
Unless it knows the root password, that is... (but then you've
already lost).
Hope this helps.
David
More information about the polkit-devel
mailing list